I have noticed that a lot of new exit nodes have recently appeared on the network. This is great news, since exit nodes are typically on the scarce side. Exits usually occupy 30-33% of network by capacity, but are currently at a whopping 38.5% (156 MBytes/sec out of 404 total).

However, I want to make sure that these nodes stay up and don't end up being shut down due to easily preventable abuse complaints. I've run a number of exit nodes on a few different ISPs and not only have I lived to tell about it, I have not had one shut down yet. Moreover, I've only received about 4 abuse complaints in as many years of running exit nodes. This is in stark contrast to other node operators following a more reactive strategy. I'm convinced this is largely because I observe the following proactive guidelines. This guide is primarily US centric. Operators in other countries may have slightly different best practices (such as registering with RIPE and not ARIN).

1. Inform your potential ISP(s)
In general, running an exit node from your home Internet connection is not recommended, unless you are prepared for increased attention to your home. In the USA, there have been no equipment seizures due to Tor exits, but there have been phone calls and visits. In other countries, people have had all their home computing equipment seized for running an exit from their home internet connection. So you will need to find a good colo and save your home connection for bridge or middle node use. Plus, bandwidth will be much cheaper in a colo center anyway.

Pick an ISP you can trust, and let them know exactly what is going on. A good first email is to ask them if they have an AUP you can read if you can't find one online. You should also ask them if they can provide the services mentioned below in this document, such as additional IP addresses, SWIP, and reverse DNS, and if these services might cost extra.

In a follow-up email, you should explain Tor to them, and why it is important to the Internet, the world, and to you, their potential customer. Giving them links to our Tor Users, Tor Overview, Tor Legal FAQ and Tor Abuse FAQ is typically immensely helpful. Mentioning China and the current conflict in Iran is also likely to be helpful. If your ISP is your University, you may also want to peruse this set of recommendations specific to dealing with University administrators.

If your ISP does not approve, all is not lost: you can look into running a middle node, or a much less visible bridge node. It is better to learn this up front, rather than have your Internet connection shut down on you without warning. Exit bandwidth is often scarce, but any node is better than no node.

2. Get a separate IP for the node
Do not route your own traffic via this IP. Having a separate IP allows your ISP to more easily recognize that abuse complaints and DMCA notices can be forwarded to you to be quickly responded to with a boilerplate response, as opposed to cutting off your Internet access or providing your personal information to the copyright cartels.

3. Get recognizable Reverse DNS for this IP
Setting a good reverse DNS name for your exit IP helps to prevent knee-jerk reactions from sysadmins and DoS kiddies alike who run into bad apples coming from your node IP. Something like tor-exit.yourdomain.org or tor-proxy-readme.yourdomain.org is the best bet.

4. Set up a Tor Exit Notice
Once you have a good reverse DNS name, you should put some content there that explains what Tor is for those who see the name and try to visit it via http. If you run your DirPort on port 80 with Tor 0.2.1.x or newer, you can use the Tor config option "DirPortFrontPage" to display a notice explaining that you are running an exit node. A sample one is provided in contrib/operator-tools/tor-exit-notice.html in the source distribution. This way, when someone sees tor-proxy-readme.yourdomain.org in their logs, they hopefully will get the hint and read the notice before flaming you. Be sure to update the contact info and other places marked with FIXME in the notice.

5. Get ARIN registration (if possible)
If you can get your ISP to SWIP your IP block to display a contact and abuse email that you control, this can go a long way to reducing aggravation that they may feel from dealing with the occasional abuse complaint, because the vast majority of the few complaints that are still made will go to you instead of them.

Having your own SWIP allocation is so important to your success that it is worth specifically offering to pay the ISP extra for it if they initially refuse. RWHOIS is another possibility, but it should be considered a second choice, since most people just check the SWIP record.

Templates at ARIN change periodically, so some ISPs may be reluctant to do the paperwork for you if it means changing their submission scripts. Again, offering to pay for this service is a good idea, if they initially stall or refuse.

6. Consider a Reduced Exit Policy
If your node is in the USA, you should consider using a reduced exit policy. Excessive bittorrent abuse over Tor unfortunately means you will likely receive a deluge of DMCA abuse complaints. We (including the very smart lawyers at the EFF) believe Tor nodes qualify as transmission providers under DMCA 512(a), not 512(c). This makes them exempt from "notice and takedown" procedures, including the need to issue "putback" responses. The EFF has even prepared a template response for improper DMCA 512(c) takedown notices that you can use.

However, your ISP may see things differently. If the abuse complaints are arriving in their staff's inbox, they may just want them to stop coming so they do not have to spend resources dealing with them, regardless of their merit. If they still won't provide SWIP registration, you can try a reduced exit policy. Other operators have had great success with using a reduced exit policy consisting of ports 20-23, 43, 53, 79-81, 88, 110, 143, 194, 220, 443, 464-465, 543-544, 563, 587, 706, 749, 873, 902-904, 981, 989-995, 1194, 1220, 1293, 1500, 1723, 1863, 2082-2083, 2086-2087, 2095-2096, 3128, 3389, 3690, 4321, 4643, 5190, 5050, 5222-5223, 5900, 6666-6667, 6679, 6697, 8000, 8008, 8080, 8087-8088, 8443, 8888, 9418, 9999, 10000, and 19638. In fact, the operator of 4 of our fastest exit nodes has reported that after switching to this policy from the default, the bittorrent DMCA complaints ceased immediately.

With that list, the only abuse complaints you should see will come from occasional comment spam (ports 80 and 443), email spam to misconfigured email servers (ports 465 and 587 are supposed to be for authenticated SMTP only), and misconfigured NNTP servers (port 563 is authenticated NNTPS). You may want to review Moritz Bartl's abuse complaint template set, as well as the Tor Abuse Template set, and the Tor Abuse FAQ for information on how to handle these rare cases, when they do come up.
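As an added example (not code from the post or from the Tor project), the Python below turns the port list above into torrc ExitPolicy lines and evaluates candidate connections with Tor's first-match rule, so you can check what a policy actually permits before deploying it. The port list is the one given in the post; the function names and the sample addresses are constructed here.

```python
import ipaddress

# Port list copied verbatim from the post's reduced exit policy (section 6).
REDUCED_EXIT_PORTS = (
    "20-23, 43, 53, 79-81, 88, 110, 143, 194, 220, 443, 464-465, 543-544, 563, "
    "587, 706, 749, 873, 902-904, 981, 989-995, 1194, 1220, 1293, 1500, 1723, "
    "1863, 2082-2083, 2086-2087, 2095-2096, 3128, 3389, 3690, 4321, 4643, 5190, "
    "5050, 5222-5223, 5900, 6666-6667, 6679, 6697, 8000, 8008, 8080, 8087-8088, "
    "8443, 8888, 9418, 9999, 10000, 19638"
)


def parse_port_spec(spec):
    """Turn '20-23, 43' into [(20, 23), (43, 43)], rejecting bad values."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition("-")
        lo_i, hi_i = int(lo), (int(hi) if hi else int(lo))
        if not 1 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port range: {item!r}")
        ranges.append((lo_i, hi_i))
    return ranges


def build_exit_policy(port_spec):
    """One 'accept *:PORTS' line per range, closed by 'reject *:*'. The closing
    reject matters: without a catch-all, Tor appends its default exit policy,
    which accepts most ports and would undo the reduction."""
    lines = []
    for lo, hi in parse_port_spec(port_spec):
        ports = str(lo) if lo == hi else f"{lo}-{hi}"
        lines.append(f"ExitPolicy accept *:{ports}")
    lines.append("ExitPolicy reject *:*")
    return lines


def _parse_rule(line):
    """'ExitPolicy accept 10.0.0.0/8:80-81' -> ('accept', IPv4Network, 80, 81).
    Handles the torrc subset used here: '*' or an IPv4 host/CIDR address,
    and '*', a single port, or a 'lo-hi' port range."""
    words = line.split()
    if words and words[0] == "ExitPolicy":
        words = words[1:]
    if len(words) != 2 or words[0] not in ("accept", "reject"):
        raise ValueError(f"unsupported rule: {line!r}")
    action, target = words
    addr, _, ports = target.rpartition(":")
    net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
    if ports == "*":
        lo, hi = 1, 65535
    else:
        a, _, b = ports.partition("-")
        lo, hi = int(a), (int(b) if b else int(a))
    return action, net, lo, hi


def exit_allowed(policy_lines, address, port):
    """First matching rule wins, as in Tor; None means no rule matched
    (Tor would then fall through to its default exit policy)."""
    ip = ipaddress.ip_address(address)
    for line in policy_lines:
        action, net, lo, hi = _parse_rule(line)
        if net is not None and ip not in net:
            continue
        if lo <= port <= hi:
            return action == "accept"
    return None


def count_allowed_ports(policy_lines):
    """Distinct ports the wildcard-address rules let through, in first-match
    order (address-specific rules are skipped)."""
    decided, allowed = set(), set()
    for line in policy_lines:
        action, net, lo, hi = _parse_rule(line)
        if net is not None:
            continue
        for port in range(lo, hi + 1):
            if port not in decided:
                decided.add(port)
                if action == "accept":
                    allowed.add(port)
    return len(allowed)
```

Paste the lines returned by build_exit_policy(REDUCED_EXIT_PORTS) into torrc; exit_allowed lets you confirm that, say, a destination on port 443 is accepted while an unlisted port falls to the final reject.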

7. Rate limit and optionally QoS your node
I've recently conducted some measurements that showed that nodes that used Tor's BandwidthRate config option to set a limit slightly below their actual capacity were much more reliable than those that did not. Along these lines, it may also be useful to use this Linux-based QoS script to prioritize your Tor IP traffic below other traffic on your machine. Similar QoS can also be achieved via DD-WRT, OpenWrt and of course via commercial routers. If you do use QoS other than that script, you should ensure that you provide Tor with a reasonable minimum bandwidth so that it does not starve when you do other things. Somewhere between 33 and 50% of your connection is a reasonable minimum value.

8. Consider creating an LLC to run your node
If you are a high capacity exit node operator, you should consider forming an LLC or similar corporate entity for several reasons.

First, as a high capacity exit node, you may wish to collect donations from others who are unable to run exits themselves but would still like to support the effort. Creating a separate entity with a separate bank account is a really wise idea once outside money becomes involved.

Second, corporate entities provide you with some level of shielding against headaches. Typically, you are required to list a legal representative to act on your behalf to accept legal service and to answer complaints (an Agent for Service of Process). In the United States, this point of contact is the only public piece of information you are required to give anyone about your corporate entity. This point of contact doesn't have to be you, and organizations exist to provide this service at nominal fees ($50/yr). This means that if someone decides to pay a visit, they are visiting this publicly listed legal point of contact, as opposed to your home.

Third (but related to the above), a corporate entity immediately and implicitly signals that you are legally savvy and not easily intimidated by empty legal threats. For example, some companies for some reason see legal threats as a better response to crawling abuse than, say, implementing a captcha. No one has yet brought suit against any Tor operator, but having a corporate entity as that operator tells any potential trigger-happy litigants that you are not likely to be easy pickings.

In the US, the cost of setting up an LLC with good privacy protections is between $100-$1000/yr, depending upon the state you incorporate in and the services you contract from independent providers (such as preparing and filing the paperwork for you, and phone+mail forwarding). States that have laws that make this process easy are Nevada, New Mexico, Wyoming, Montana, and to a lesser extent Delaware. States to avoid include Massachusetts and California (though the latter cannot be avoided if your ISP is also in California -- you must pay a $900 'franchise fee' to CA if you do most of your business there, regardless of incorporation).

You do not have to be a resident of a state to incorporate there. In fact, in most of the states listed above, you do not even have to be a US citizen. It is also never too late to switch your existing exit nodes from your personal control into the hands of a newly formed LLC. All you need to do is inform your ISP, and have the newly formed LLC begin paying the bill from its bank account.

We do not want to recommend specific services here, because we have not personally used them all, but full-service remote incorporation services for those states are easy to find on the web.

Thanks so much for this post. I was running an exit node a few days ago and ended up using ~20GB in 24 hours! I had to shut it down because my ISP (Comcast, bastards) was checking my ports and seemed to be cutting me off, as the traffic on my circuits dropped WAY off.

Yeah, it's likely you weren't discovered by port scanning and more likely by the total bandwidth use. However, if you're sure that it is port scanning, you can put your Tor server on an unused high-numbered port (check /etc/services for blank ranges) and then customize your firewall rules to DROP as opposed to REJECT packets to your unused port ranges on your machine. DROP rules greatly increase the time it takes to port scan your machine, because scanners' packets need to be retransmitted many times to differentiate between normal packet loss and DROP rules. Also, choosing an infrequently used port will often completely escape scanners' notice, because they typically scan frequently used ports to save time. You probably also want to disable your DirPort in this case too, as that is plain text http, often contains strings that say "Tor" and is easily seen by filters at *your* ISP.

There are also rumors that some of Iran is blocking port 443, so putting your Tor server on strange ports is actually helpful for that too.

Note this likely only makes sense for middle and bridge nodes. Exit nodes will be so noisy you'll eventually get some sort of abuse complaint if you don't follow Mike's steps (and possibly sometimes even if you do, it sounds like).

The rationale here is understandable, but #1 & 2 appear to have the undesirable side effect of making exit point surveillance by Government Organizations easier, assuming that the ISP in question is colluding with them (frequently the case, and in many nations, mandated by law or regulation). Is my conclusion in error? This might be less of a problem if a TOR user could whitelist or blacklist specific exit point countries (this rests on a presumption that authorities in Venezuela, for example, would likely be relatively uninterested in issues that are locally "sensitive" in Iran, for another example, and vice versa). Is there any tool in TOR that allows this? I do understand that the trade-off for wide use of such a capability would be a potential net reduction of bandwidth in an already constrained network.

Exits are already listed in the Tor directory that clients use, which is public. The Tor project also provides a DNSRBL with Tor exit nodes to prevent incorrect blocking of Tor nodes that do not actually exit: https://www.torproject.org/tordnsel/

So the additional threat of government monitoring is not really a valid argument.
However, it might be the case that your ISP doesn't figure it out until you tell them, but that will only last until your first abuse complaint if you are running an exit.

Another useful tactic might be to register your reverse DNS domain name with a top level country code that is not the same as the jurisdiction for your IP address. It might be the case that the "copyright cartels" (lol) and others will give up if they see a .se domain name, or similar :)

I fear it won't actually make a lot of difference... for the most part, I think, they're just running scare tactics. As a result, even if the DMCA notices are irrelevant, will never be pursued, and will generally get ignored, they're still increasing their coverage at no extra cost. However, I suppose at some point they've got to make a decision about whether they're going to attempt to make a lawsuit stick, and a .se (or similar) reverse DNS may mean you get filtered-out early in that process.

Excessively simple perhaps, but arguably effective, for parties at both ends of the pipe. Now if there was a mechanism for clients in a given location to select an exit node that only exited to IP space in some defined elsewhere, a user in that location could have a little bit more comfort (never guarantees!) in his or her privacy from the snooping noses of das Heimatland Sicherheit and ilk.

>We had an excessively simple strategy for reducing entanglements: being based in the US, we only allowed exit to IP space delegated to Europe, Asia, etc.

Re the subject and previous comments. Apparently this is possible, see TOR FAQ 3.15. However, it is not recommended, for several reasons. In that same FAQ item, there is a reference to using Blossom for this purpose. Has anyone here tried this? Is it possible to just run the Blossom client service that allows this option with an existing TOR client, or are the two clients mutually exclusive? Also, my intent was not to hijack this thread; it might be best if someone could fork this into a separate topic.

Our non-US exit strategy was the outgrowth of an idea that seems to have been largely ignored by Tor developers.

IPv4 space is largely (not completely reliably) delegated to entities called Regional Internet Registries (RIRs) in large swaths. The RIR is then responsible for passing out space to the entities in its region. There are entanglements, such as multinationals, or legacy delegations, but in large part, you can wave your hands a bit and know that any IP address between 77.0.0.0 and 95.255.255.255 is handled by the European RIR, RIPE, IP addresses between 110.0.0.0 and 126.255.255.255 are handled by Asia Pacific's APNIC, etc. You can fairly readily break down large chunks of space by RIR based on the first octet, sorting unknown or mixed use stuff into a different category.

This means that it would be fairly easy to generate "buckets" that roughly categorize IP space. Tor nodes could be separated into each of these buckets, and you could have a rough idea that you'd likely be crossing political boundaries anytime you went from one bucket to another, simply because most countries do not exist in multiple geographic regions.

So you categorize Tor nodes into buckets while indexing them: this is a 256-entry database plus a half page of code.

Now, you can do things with that data. Rather than just "randomly" picking Tor nodes for a circuit, you could prefer a first hop outside your own bucket, a second hop in neither of those buckets, and a completely random third hop. So when your US-based PC goes to Amsterdam for the first hop, Taiwan for the second, and ends up exiting in Canada, you've done a lot to make it more difficult for any one country to track back to you.

Perhaps we don't have to worry about this in the US, but looks like the Iranians do.

Getting back to the previous comment, however ----

For those of you who would like to allow exit to non-local space, I suggest looking at

Determine your own RIR (ARIN, APNIC, etc.) and then generate a list of prefixes that are served by *other* RIRs. Allow exit to those prefixes. For example, a host in America can probably more safely offer exit to 41.*, 51.*, 58-62.*, etc.

I am running a TOR Bridge here in Darwin, Australia, for the Nedanet. I am under constant heavy network hacking attacks originating in China; you name it and they're trying it !! I think a good tip for anyone running Tor is to make sure you have a better than average firewall setup ... I also run a DMZ from the router to a locked down Linux box ... I have noticed also no network scanning or attacks from Iran .... makes me wonder if China helps Iran with their IT security ?

I've followed mikeperry's advice and sent my ISP a heads-up, suggested URLs and all. And, somewhat to my surprise, instead of some e-mail boilerplate in 48 hours or so, I got a phone call from "Steve" within three hours. Suffice to say, 1) I shall call him tomorrow and ask him to respond exclusively via e-mail from now on, as I'm severely deaf, and 2) determine what level of service I can be to Tor which is within the ambit of CableOne's AUP, savvy?

I rather suspect that inasmuch as I had for a day or so checked off everything on Vidalia's exit node configuration, "Steve" shall play the Moral Panic card. My usage was 1.5G in March, 3.0 in April, and 2.4 in May, but 8.0 in June due to Tor, so I figured that I might've raised a red flag somewhere.

Any and all advice would be appreciated. Basically, I want a stable state of whatever it is I can get away with re Tor within my ISP's AUP. Think Venn diagram.

hi there,
is it possible to have a special build only allowing my exit node for clients originating in China, Iran etc.? Unfortunately I don't know very much about this software but am unwilling to hassle with problems from my ISP. Right now I'm running only in bridge mode.
I think there might be a lot more people out there like me that would install a special Iran package without having to think about it anymore.

This wouldn't work. The exits don't know where the client resides. If this was possible, it would quickly turn the users into a special set which may be easier to track down. Fragmenting the Tor network into a series of partitions makes everyone less anonymous.

Despite the local CableOne tech telling me in the morning that Tor wasn't a problem and that bandwidth wasn't an issue (especially between midnight and noon), that afternoon I came home after work to a nasty DMCA take-down notice and a frozen ISP account. I could receive mail, but that was it, and so perforce had to deal with the sanction by phone... Apparently someone had sent a bit torrent through my machine. Some game... I'm no gamer.

Well! I steered everyone and their dog to the EFF's legal boilerplate, but it was only today that I finally reached someone who knew what they were talking about, Tech No. 2, and he informed me that Tor on a residential account was in itself a no-no. And by then I no longer had the nous to contest the matter. I had acted in good faith & received bad information, and that was that. Time to move on. (He was very interested in the identity of Tech No. 1!)

You learn by doing. Knowing then what I know now, I probably would have stuck with a humble relay or bridge node and stayed under the radar. Parse your TOS's and AUP's well!

A local CableONE executive has admitted that their AUP is deliberately vague, but inasmuch as he hasn't told me what of Tor if anything I can run, I am currently running a bridge relay on occasion. My reading of their AUP is that so long as I'm not degrading anyone's service or doing anything illegal, I'm good. If I'm wrong, there's always Qwest!

"Our non-US exit strategy was the outgrowth of an idea that seems to have been largely ignored by Tor developers."

I may yet have to try that strategy. I thought I had found a viable alternative by using the "excludeexitnodes" directive in torrc, but experimentation indicates that even after paring the excluded jurisdictions down to just one, the directive is still ignored more often than honored in the interests of building what tor considers to be a viable network. That is not a complaint, just a results report from one experiment. More to follow.

I may have taken the documentation of "StrictExitNodes" in the manual too literally, as it mentions its use only in conjunction with "ExitNodes", not "ExcludeExitNodes" (and yes, I do have that one coded correctly :-) Thank you, that is worth a try. Be right back...

Unfortunately my first impression was correct. Using "StrictExitNodes 1" with "ExcludeExitNodes {XX}" produces a log message "[Warning] StrictExitNodes set, but no ExitNodes listed." Of course there is an obvious, if ludicrous alternative - use "StrictExitNodes 1" with "ExitNodes", passing the entire list of country codes except those to be excluded. I've already coded the list (good thing that wasn't tedious :-) It occurs to me to wonder if ExitNodes/torrc will accept an 800 char parameter string (246 each ISO 3166-1 alpha-2 codes x 4 chars ). I further wonder just how rigorously that part of the code has been tested for bounds checking and buffer overflows :-0 I will learn at least some of those answers, I believe...

No joy. With 238 country codes specified on ExitNodes, the log message is "[Notice] Have tried resolving or connecting to address '[scrubbed]' at 3 different places. Giving up." Restoring the redacted country codes and/or changing "StrictExitNodes 1" to "StrictExitNodes 0" produces the same message. Evidently it is choking on too long a parameter string, or the process is timing out while it attempts to process it (probably the latter). I needed to try it though - thanks for the help. I'm back to "ExcludeExitNodes {XX}" - at least Tor takes that one "under advisement" :-)

I used to run an exit node on a server hosted by intergenia (server4you), Germany.

I first got notified of a complaint they received regarding botnet activity, so I restricted the outgoing ports to HTTP and a few similar only, as well as told them the usual (it's running a TOR exit node, links to the FAQ and legal disclaimer, etc...)

It went well for a couple of months, when they contacted me again, after receiving another complaint from a corporation that complained about "spying out information by electronic means" which is a crime since a couple of years ago.
The HTTP request in question was something like GET /internal/search?*.* HTTP/1.1
on port 80.

The ISP informed me that "regardless of who or what caused that traffic originally, I'd be legally responsible for traffic originating from my IP, and if they'd get any more complaints they'd take the entire server offline at my cost, and terminate the contract."

I am no lawyer, though this sounds pretty much like bullshit to me.
Nevertheless TOR is no longer running as an exit node.
Does anyone know a hosting provider in Germany that will accept open proxies and the like in their IP range?

I think the solution to the problem is simple. Use prepaid debit cards, pay monthly, and don't use your real name! They won't be able to come after you then. Nobody would have enough information to go after you at least. At least nobody with enough interest to. It wouldn't be a criminal matter. Set up the thing via a wifi connection at a coffee shop too because trying to go through Tor to sign up for the ISP/host will get your account suspended from the get-go. Everybody thinks a foreign IP and/or changing IP means fraud.

Another option is to contact the CCC in Germany and see if the ISP's legal thoughts are correct. In most countries, Tor is like a common carrier, where you are not responsible for the traffic it carries. ISPs generally bend this into "your fault, not ours" and people accept it.

Great tips. Tor is a traffic routing network. I personally have never experienced problems using the Tor Network. Generally, most computers that join Tor are good ones and have the intent to help others. Security is very important especially when it comes to your computer.


I have a question for you ExitNode experts. There are only a few people who run ExitNodes for the whole of the UK. So, as a tor user, if I always exit through one of those, say, 10 nodes does that mean that I always appear to have one of 10 ip addresses to programs that would check for my ip address ?

If the above is true then I would be surprised how easy it would be to ban those specific IPs as 'not really being trusted to only have people from the UK'. Or is there some IP trickery built into tor that keeps the IPs more random ...

Good article!!!!!!! Also the port 8088 is sometimes used for HTTP!!!!!

However, and i wrote this to the TorProject, there is the threat of ACTA on coming!!!! remember!?!!! «If it'll pass, you won't have anymore a safe harbor nor anything to protect tor nodes whenever they're used to download copyrighted things!!!!! It isn't something like the DMCA!!!!! It's a world-wide law (or almost!!) so it'll apply in the USA, Europe (Sweden and Germany included!!), Australia, Japan, and so on!!!!!!
What's also funny, is that criticizing the pro-copyright (or anti-piracy) laws will be "illegal" too!!!!!!!!!!!!! It's the freedom of speech, as seen from lobbyists!!!!!
Yeah!!! Say goodbye to the TorProject, if ACTA will go through!!!!!»

For us Windows users that are not high tech as opposed to lazy --- How do we tell if the IP provider might be a problem? I have been running two bridges for a year and every so often they just stop showing any traffic. I have found the only way to get them going again is to uninstall the program and reinstall it. Yes I know I have been told I shouldn't have to do that but for now it's that or just quit.

Suffice to say, the EFF runs a relay, and so do I; CableOne has a three-strikes policy, and furthermore at the second and third strikes you have to deal, not with help desk morons by phone, but with lawyers by snail mail. I wish I had had some of the fresher salient information in this thread a year ago, but as it is, a tip of the hat to those running exit nodes...! (kencf0618)

How do we tell if the IP provider might be a problem? I have been running two bridges for a year and every so often they just stop showing any traffic. I have found the only way to get them going again is to uninstall the program and reinstall it.

It's not the IP provider. And you meant to say ISP. It's something with your computer that is screwy, it would appear most likely. Even if it isn't and it does have something to do elsewhere, it isn't the ISP. That's about the only thing you can be sure of.

I just had to shut down my exit node due to DMCA complaints for bittorrent traffic. My exit node received 7 DMCA complaints within two months. After the first two, I restricted my exit policy just slightly more open than what's listed in this article, but still pretty limited. That delayed the next couple complaints, but they kept coming. The provider was very understanding, but were getting pressure from their upstream provider. I know it's a necessary evil, but the bittorrent traffic really hurts the tor network.

The key thing about the ports listed here is that there are only ~60 of them, which represent the 60 most commonly used ports. This drastically reduces the odds that a bittorrent user will select your node.

Since bittorrent clients can be run on any port, and most of them pick random ports, every port you add to your exit policy increases the probability of a bittorrent client using your exit node to connect to a monitored peer that is listening on that port. This means that enabling ranges of ports is especially bad, unfortunately. Each new port adds 1/65535 to your risk of getting DMCA takedowns.

I too am in the same situation. There is very little documentation on the subject. From what I can see, one simply adds ExcludeExitNodes 255.255.255.2,255.255.255.3 ... to their torrc config file. No matter what I do I just can't get this to work. Tor continues to use the excluded exit nodes.

I've been running a relay and a bridge relay continually since my last comment (in July 2010) without any trouble whatsoever. Not a peep from anyone. Given that my ISP doesn't want to deal with the DMCA legal paper overhead, and just cuts you off at the knees if they get a take-down notice, I'm sticking with what works. I'm not front line, exit node troop, I'm a stable segment in the logistical tail. (kencf0618)

Your post says "In the USA, there have been no equipment seizures due to Tor exits",

but this is contrary to what the EFF says:
"This spring, agents from Immigration and Customs Enforcement (ICE) executed a search warrant at the home of Nolan King and seized six computer hard drives in connection with a criminal investigation."